Cybersecurity awareness month is here. Each year, it’s important to explore any new tactics the industry can leverage to raise awareness. The threat landscape is evolving and expanding too quickly for us to keep up. So, we can’t afford to rely on the same awareness gambits year after year.
For as long as the security industry has existed, fear has always been a key ingredient for changing behavior. But if we’re going to foster lasting and positive change, we can no longer scare people into becoming more secure. We may not even be able to train people to become more secure, either.
Some groundbreaking insight into security awareness shows how companies can address the human element in their risk management strategy. Masha Sedova, founder of Elevate Security and a regular security awareness presenter at RSA, Black Hat and SANS, offers that insight.
In addition, we’ll discuss how to motivate employees. What strategies can you put into place to minimize the human element of risk?
Why We Need to Rethink Cybersecurity Awareness
Sedova, a former Salesforce executive who founded Elevate Security with fellow Salesforce executive Robert Fry, wanted to address the human element of security. So, they created the world’s first human attack surface management platform.
According to Sedova, straight-up security training isn’t effective. If it was, we would have seen the cybersecurity awareness problem solved at least a decade ago.
“What I see us doing is iterating on something that is fundamentally only one tool in the larger tool belt,” she said. “If we keep relying on it, we’re not going to move forward.”
Sure, we can keep improving our training by gamifying and making it more fun and animated. We’ve written about these methods before, and they have proven to be more effective than old-school training tropes. But Sedova argues that even these assume we’re going to change people and make them error-free.
“It goes against all human nature,” she said. “We will all make mistakes. We need to think about the problems a lot more broadly.”
Getting Every Employee on Board
When it comes to cybersecurity awareness training, it seems like the only way to succeed fully is to get every single employee on board. After all, your posture is only as good as that last employee who may click on something they shouldn’t have. When we spoke to cybersecurity expert Bruce Schneier about it in 2019, he said, “Security awareness doesn’t work as well as people think it does. It’s a way of blaming the user.”
Sedova contends that we are aiming too high with what we expect from our employees. “Our firewalls absolutely let things in that they shouldn’t, and sometimes our antivirus won’t detect zero days,” she said. “Why do we have that?”
Just because we can’t secure every person, does that mean we shouldn’t do it?
“You can’t secure against every attack and every piece of malware, but we don’t hold our technology to the same standards,” Sedova said. “Somehow, we hold the human element to totally different standards, where it’s like 100% or nothing.”
As ransomware attacks mount and threats that take advantage of the human element skyrocket, the bar for effective training rises so high it verges on out of reach.
“Our people define the security posture of our organization, no matter how many tools we throw at it,” Sedova explained. “If we do not understand where we are risky, where we are vulnerable and where we are strong, we can’t start addressing things.”
So, the way we work keeps evolving. Sedova proposes we begin thinking about securing our workforce and our employee base in a different way. After all, the stakes are higher than ever.
What Is the Human Attack Surface?
The human attack surface is much like its technical counterpart. It is a function of the probability and the possibility of an attacker getting into your organization. Instead of looking at it as a hardware or software entry point, the human attack surface is about being aware of risky employees and the actions they take.
Sedova defines your human attack surface by answering the following question: What are the chances that an attacker is going to get into my organization through a human being, and how do I measure and mitigate that risk?
According to Sedova, the approach involves three main components: access, exposure and frequency. You can then map compensating controls onto those components to address what you can change in your environment to help boost cybersecurity.
For example, you may have employees who represent a high risk of account takeover because they have fallen for phishing emails or browse risky websites. In those cases, you can also introduce compensating controls like MFA, a password manager or frequent password rotation.
“Their behavior becomes less risky because you have technology controls in place,” Sedova said. “You can apply appropriate controls to your high-risk points. You don’t have to apply blanket security restrictions on everybody, but only match it to the people who need it when they need it.”
“It is the actions that lead to breaches; it’s not knowledge,” she said. “You can have people who have perfectly answered all of your quiz questions that then go out and download malware. There’s a very big difference between knowledge and action.”
If you’re not sure how to identify your risky employees, the old adage applies: the best predictor of future behavior is past behavior.
We think about this when we model risk in other places, like credit scores or car insurance. The human attack surface takes that same model and applies it to security.
“By taking a look at the past security decisions — both good and bad — that employees make in an environment, you can actually paint a picture of who is more security-minded than others.”
Human Risk Management
When you deploy a human risk management solution like Elevate Security, you can track numerous categories based on tools and tech your teams already have in place. That’s even more important if you use tools like endpoint detection and response (EDR) since you already have the data you need.
For example, perhaps some employees try to download malware, click on a phishing link or get a data loss prevention (DLP) violation. While your defenses may prevent the incident, it’s clear that some staff lack awareness about your cybersecurity policies. If you track these behaviors, you gain critical knowledge of where your human attack surface weaknesses lie.
As important as it is to track ‘bad’ behavior, tracking positive behavior is equally crucial. Sedova suggests that things like MFA use, password manager use and how often employees log in are strong indicators of an employee’s security risk level.
“In fact, we’ve done some research reports that show that people who use a password manager regularly have a much lower chance of introducing malware — not because your password manager stops malware, but because it’s an indicator of mindset and security vigilance,” she said. “By mapping all of these behaviors of what an employee does on a regular basis, you can start painting a user risk or user reputation score that then gives you an understanding of what people are good at, what they need to do, what they need to do to improve and where they’re already excellent. This data becomes pure gold in how you want to take action.”
Getting Employees to Buy In to Cybersecurity Without Fear
The key to using a human attack surface strategy is to be transparent. Sedova advises that employees always know what their score is and which factors came into play. This way, they have the agency and choice to change that status, or at least understand that the controls, environments, training and whatever else you give them are a function of their risk level.
If an employee spends several months with a good track record, for instance, their score will go up. Rewarding employees for good scores also goes a long way, Sedova said. “A really key piece here to close that loop is that employees need to know where they stand, and why they stand the way they do, so they are brought along on the journey.”
For anyone creating or leading cybersecurity awareness training, you’ve probably used some type of fear element to get your point across. And while it may be effective to a certain degree, many studies (and experts) argue that fear only goes so far.
According to Sedova, what you need to consider is the long-term impact of your fear-based messaging.
“What happens when we get too much bad news happening is we shut down; we block out the message,” she said. “It becomes counterproductive.”
Instead of fear, Sedova has seen tremendous results in companies that use positive reinforcement. For example, let’s say you want to prevent phishing attacks. You could tell employees that clicking on a phishing email will lead to a $20 million breach and put you out of business. Or, you could reward those with solid track records or departments that have gone several months without clicking on a malicious link or email. Perhaps you give them Friday off or a party with pizza and beer.
“You don’t want to be the person who resets your clock,” Sedova said. “You don’t want to be the person who lets your teammates down. That is very deeply wired and ingrained in us. You can’t create a resilient security culture based on fear alone because it starts failing over time. But if you get everyone involved, what happens is people then start helping each other … you can leverage the human element as part of your defense.”
Cybersecurity Takeaways for the Enterprise
Once you determine which of your employees represent more of a risk and those that don’t, what strategies can you implement?
When security teams come across a risky employee, they typically have a few options, depending on the type of organization. They could spend more time training them, reprimand them or even fire them.
Sedova suggests one is a feather while the other is a hammer, neither of which is very effective.
“When you understand, at an individual level, how risky somebody is, there are a lot more nuances that you can apply,” she said. “Assuming that you understand the risk in certain areas (and for certain employees), security teams can then use the technologies and the controls that they have available to them to create safety nets for that employee (like zero trust and IAM).”
For risky employees who need access to critical environments, you can require step-up authentication such as MFA at login rather than adding broader controls. For those who may cause an incident because of how they interact, you might monitor that person’s activity more closely, logging and storing it to help you recover from an incident much faster.
Solving People Problems
By knowing your human attack vectors, you get insight into who your most likely entry points are. Perhaps out of 10,000 employees, only 200 are deemed risky. How do you deal with them?
It could be training plus more logging, or training and reviewing their access, Sedova said. Do they really need access to all these critical environments? How much of it is a must-have right now?
“This allows for a much more tailored and personalized approach to security … and adds an additional piece of context and knowledge in the authentication workflow.”
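The following is an added illustration, not code from the article or from Elevate Security, of the ideas discussed above: combining access, exposure and frequency into a per-employee risk score built from signals your existing tools already emit, keeping the score transparent by recording which events contributed, letting a clean stretch of time wind the score back down, and mapping the resulting tier to compensating controls such as step-up MFA, closer logging and an access review. Every event label, weight, time window, access tier and control name here is an assumption chosen for the example; the telemetry is constructed sample data.

```python
from datetime import date

# Constructed sample telemetry: (user, event date, event type). The labels
# stand in for signals a mail gateway, EDR, DLP or identity provider emits.
AS_OF = date(2024, 6, 30)
EVENTS = [
    ("alice", date(2024, 6, 1), "mfa_enrolled"),
    ("alice", date(2024, 6, 20), "password_manager_use"),
    ("bob", date(2024, 6, 25), "phishing_click"),
    ("bob", date(2024, 5, 10), "malware_download_blocked"),
    ("bob", date(2024, 2, 1), "dlp_violation"),
    ("bob", date(2024, 6, 10), "mfa_enrolled"),
    ("carol", date(2024, 6, 28), "risky_site_visit"),
    ("carol", date(2024, 6, 15), "risky_site_visit"),
]

# Assumed access tiers: how critical the systems each user can reach are.
ACCESS = {"alice": "standard", "bob": "critical", "carol": "elevated"}
ACCESS_WEIGHT = {"standard": 1.0, "elevated": 1.5, "critical": 2.0}

# Assumed weights: negative signals raise exposure, positive habits lower it.
WEIGHTS = {
    "phishing_click": 3.0,
    "malware_download_blocked": 4.0,
    "dlp_violation": 2.0,
    "risky_site_visit": 1.0,
    "mfa_enrolled": -2.0,
    "password_manager_use": -1.5,
}


def recency_weight(age_days):
    """Events in the last 30 days count fully, 31-90 days count half, and
    anything older drops out, so a clean quarter genuinely resets the score."""
    if age_days <= 30:
        return 1.0
    if age_days <= 90:
        return 0.5
    return 0.0


def score_user(user, events=EVENTS, as_of=AS_OF):
    """Return a transparent breakdown the employee could be shown:
    the contributing events, exposure, frequency, access, score and tier."""
    contributions = []
    exposure = 0.0
    negative_count = 0
    for who, when, kind in events:
        if who != user:
            continue
        w = WEIGHTS[kind] * recency_weight((as_of - when).days)
        if w == 0.0:
            continue  # aged out of the window
        contributions.append((when.isoformat(), kind, w))
        exposure += w
        if w > 0:
            negative_count += 1
    exposure = max(exposure, 0.0)  # good habits offset risk but never go below zero
    frequency = 1.0 + 0.5 * max(negative_count - 1, 0)  # repeat offences compound
    access = ACCESS_WEIGHT[ACCESS[user]]
    score = access * exposure * frequency
    tier = "high" if score >= 8 else "medium" if score >= 3 else "low"
    return {
        "user": user,
        "access": ACCESS[user],
        "contributions": contributions,
        "exposure": exposure,
        "frequency": frequency,
        "score": score,
        "tier": tier,
    }


def recommend_controls(tier, access):
    """Match compensating controls to the risk tier and what the user can reach,
    rather than applying blanket restrictions to everyone."""
    controls = []
    if tier == "medium":
        controls.append("targeted_training")
        if access == "critical":
            controls.append("step_up_mfa")
    elif tier == "high":
        controls += ["targeted_training", "step_up_mfa", "enhanced_session_logging"]
        if access in ("elevated", "critical"):
            controls.append("access_review")
    return controls


if __name__ == "__main__":
    for user in sorted(ACCESS):
        r = score_user(user)
        print(f"{user}: score={r['score']:.1f} tier={r['tier']} access={r['access']}")
        for when, kind, w in r["contributions"]:
            print(f"    {when} {kind:<24} {w:+.1f}")
        print("    controls:", recommend_controls(r["tier"], r["access"]) or ["none"])
```

Running it shows the point of the three components: bob has fewer bad events than some users might, but critical access and a repeat pattern inside the window push him into the high tier, while carol’s two minor events with elevated access land in the medium tier and earn only targeted training. The per-event contribution list is what you would surface to the employee so the score is explainable rather than a verdict from an ivory tower.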
All of this brings us back to being transparent, which is still underrated as a way to foster a security culture. Employees need to know where they stand and why, which, in turn, allows the security team to take action.
The more transparent your security team is, the less they will be seen as the enemy.
“Based on their decisions, employees understand that their work environment is matched to their risk level,” Sedova said. “It allows people a sense of autonomy. It’s not the security team sitting in an ivory tower.”
Isn’t that what cybersecurity awareness is all about — how employees perceive security? If security is not the enemy, perhaps it can be the hero we need given the threat landscape.